Critical Security Flaws Leave Over 13,000 Ivanti Gateways at Risk

February 15, 2024

Several Ivanti Connect Secure and Policy Secure endpoints are still susceptible to a host of security vulnerabilities that were initially revealed over a month ago. These vulnerabilities, identified as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, are of high to critical severity and involve authentication bypass, server-side-request forgery, arbitrary command execution, and command injection issues.

Some of these vulnerabilities have reportedly been exploited by nation-state actors before being leveraged on a larger scale by a diverse set of threat actors. The CVE-2024-22024 vulnerability, for instance, is an XXE flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateways, allowing unauthorized access to restricted resources. Although there are no confirmed active exploitations yet, Ivanti has advised immediate application of available security updates or mitigations when patches are not available.

According to threat monitoring service Shadowserver, internet scans reveal over 3,900 Ivanti endpoints vulnerable to CVE-2024-22024, with most of them being in the United States. There are also approximately 1,000 Ivanti endpoints still vulnerable to CVE-2024-21887, a flaw that enables authenticated admins to execute arbitrary commands on vulnerable appliances by sending specially crafted requests. This vulnerability, along with CVE-2023-46805, an authentication bypass issue, was reportedly exploited by Chinese hackers.

Security researcher Yutaka Sejiyama shared his Shodan scan results, reporting that as of February 15, 2024, there were 13,636 Ivanti servers that had yet to apply patches for the mentioned vulnerabilities. Despite the availability of security updates for these vulnerabilities over a month ago, more than half of the total number of internet-exposed Ivanti servers (24,239) remain unpatched. Sejiyama's research also shows that only 21.1% of servers have patched the CVE-2024-22024 vulnerability, leaving 19,132 servers exposed to the dangerous unauthorized access flaw.

The swift disclosure of flaws affecting Ivanti products over a short period has left administrators with little time to prepare for patch application. This complicates remediation efforts and increases the risk of Ivanti systems being left vulnerable for extended periods, providing threat actors with a large list of potential victims.

Related News

• Ivanti SSRF Flaw Exploited by Hackers to Deploy New DSLog Backdoor
• Ivanti Issues Urgent Warning for New Authentication Bypass Vulnerability
• Widespread Exploitation of Ivanti SSRF Zero-Day Vulnerability Observed
• CISA Instructs Federal Agencies to Disconnect Ivanti VPN Instances Amidst Zero-Day Exploits
• Ivanti Alerts on Two New High-Severity Vulnerabilities, One Currently Under Active Exploitation

Latest News

• CISA Issues Alert on Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability
• CISA Adds Two Microsoft Windows Bugs to Its Known Exploited Vulnerabilities Catalog
• Microsoft Warns of Critical Exchange Server Bug Exploited as Zero-Day
• Critical Privilege Elevation Flaw in Zoom's Windows App Patched
• Critical RCE Vulnerability in Microsoft Outlook: Easy to Exploit, Hard to Defend